New Release: Safely Remove Pendrive

14 February, 2009

Taking out a pendrive without safely removing it
 may corrupt the file system on the pendrive
 and may make the pendrive completely unrecognizable and unusable.
So, you should always Safely Remove Pendrive before pulling it out.

Many times when you try to eject a pendrive it gives an error:
‘Problem Ejecting USB Mass Storage Device’

Eg, if you are playing a song from the pendrive and you try to safely remove it, it won’t.
 Media player, explorer.exe, etc. keep the files and folders on the pendrive open,
 even if you stop playing them.
Also many viruses access the autorun.inf file and the virus files on your pendrive.
This tool will help you to close the handles of the processes
 which are accessing files on the pendrive,
so that you can safely remove the pen drive.

Download Link
http://piyushlabs.googlepages.com/SafelyRemovePendrive.zip

Hunt and Delete Virus Files

6 January, 2009

This small utility is a continuation of HealPenDrive.
I have added a few more options.
The best one is: it will help you to delete what I call “pattern files”,
like a virus exe file inside every folder that carries the name of the parent folder.
Eg: ..\songs\songs.exe
One more option is to hunt and delete files based on their size.

It’s completely a “batch” file.
I went through various samples of batch files over the net and learnt to code such programs. It’s nice 🙂
So you can open and check its contents.
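As an added example (not the batch file from this post), here is the same “pattern file” hunt in Python, written to report and quarantine rather than delete: it looks for `<folder>\<folder>.exe` in every folder, the root-level names the other posts report (regsvr.exe, New Folder.exe, autorun.inf) and, optionally, files of a given size. The sample drive layout it builds is constructed for a dry run.

```python
import os
import tempfile
from pathlib import Path

# Root-level names the posts report on infected pen drives; reported as indicators to inspect.
ROOT_INDICATORS = {"regsvr.exe", "new folder.exe", "autorun.inf"}

def find_pattern_files(root, size_bytes=None):
    """Sorted paths matching the post's 'pattern file' shape, <folder>\\<folder>.exe,
    plus root-level indicators and, if size_bytes is given, files of exactly that size."""
    root, hits = Path(root), []
    for dirpath, _dirs, files in os.walk(root):
        here = Path(dirpath)
        for name in files:
            path, lname = here / name, name.lower()
            if here == root and lname in ROOT_INDICATORS:
                hits.append(path)
            elif here != root and lname == here.name.lower() + ".exe":
                hits.append(path)
            elif size_bytes is not None and path.stat().st_size == size_bytes:
                hits.append(path)
    return sorted(hits, key=str)

def quarantine(root, hits, qdir):
    """Move hits to qdir under a flattened name ending in '.quarantined' (so a
    double click no longer runs them) instead of deleting; returns the new paths."""
    root, qdir = Path(root), Path(qdir)
    qdir.mkdir(parents=True, exist_ok=True)
    moved = []
    for path in hits:
        dest = qdir / ("__".join(path.relative_to(root).parts) + ".quarantined")
        path.rename(dest)
        moved.append(dest)
    return moved

def build_sample_tree():
    """Constructed pen-drive layout for a dry run (harmless stub files, not malware)."""
    root = Path(tempfile.mkdtemp(prefix="pendrive_"))
    layout = {
        "songs/songs.exe": b"MZ-stub", "songs/track01.mp3": b"ID3",
        "pics/pics.exe": b"MZ-stub", "docs/report.doc": b"\xd0\xcf\x11\xe0",
        "regsvr.exe": b"MZ-stub", "autorun.inf": b"[autorun]\nopen=regsvr.exe\n",
        "notes.txt": b"x" * 56320,  # byte count the SVCHOST post reports, for the size option
    }
    for rel, data in layout.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(data)
    return root
```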

*Many of you have complained about HealPenDrive being detected as a virus. The thing is, that software is built with AutoIt, which cannot (as far as I know) be run in exe debuggers to know its exact working. Most AutoIt files are flagged as suspicious by antiviruses, as there have been many viruses found built on AutoIt.

Link to download:
HuntAndDelete.zip

After 6 months

6 January, 2009

Hmm… after 6 months of silence, I’m back in this new year…

Sorry, I won’t be able to reply to you all. So many comments. My God!
Just TRY to fix the problem yourself…
C’mon, you can do it.

It’s semester break and I’m chilling out at home. (It’s 6 degrees C; I miss Bangalore’s warm climate)…
I learnt a bit of DOS batch file programming… it’s nice.
I’ve a new year present for you. I’ll post tomorrow.

Three nasty viruses in the wild

4 June, 2008

First one: SVCHOST.EXE

It looks like a Word file (ref: my previous post).
The file name is *.scr (ie a screen saver file).
It hides your original Word document and instead creates a *.scr file with the same name as the Word file.
For example, you create a document Hello.doc, and after you write in it and save it, Hello.doc gets the system and hidden attributes, and a file named Hello.scr is created with the same Word icon.
In the administrator account, it makes such a change in the registry that you will never be able to log in to your account. When you click on your login name it logs in and suddenly logs out.
So, whenever opening a Word file, right click and check the options.
For the virus file, they will be: Open, Run, Run as, Test, Configure, etc.
Once you get the virus in a limited user account, never log in to your admin account, or else, as I said, it makes such a change in the registry that you will never be able to log in again.

Second: spoolsv.exe

The virus writer has done quite a lot of research on the autorun property.
When you insert your pen drive (if autorun is ON), it asks what to do, eg,
open using Windows Explorer, open using WMP, open using Nero, view photos using some s/w, etc.
But if it has this virus, it will say
“open using software provided on this device”
So, be careful.

After the virus is installed, I found no separate virus process; probably it injects some DLLs.
I am unable to find the solution yet.
It’s challenging… hmm…

Third: SHAHROKH.EXE

How come anyone misspells Shahrukh Khan? It’s so sad. : )
It creates AUTORUNS.EXE and EXPLORER.EXE files.
The EXPLORER.EXE file is placed inside the c:\windows\system32\ folder.
So, whenever the comp starts, it doesn’t load the genuine Windows EXPLORER.EXE but runs the virus EXPLORER.EXE program.
This happens because in the “path” the system32 directory has higher preference than the windows directory…
Now I think, why isn’t Windows’s EXPLORER.EXE placed in the system32 folder?

My semester exams are this month, so I’m going to hibernate. Goodbye guys… be in touch.

Heal Antivirus Updated to 1.31

22 April, 2008

Now my antivirus scans for the “Autorun.inf” file also.

(Most malware uses the autorun.inf file’s properties to automatically install the virus whenever you double click the pendrive.)
When you connect a pendrive with an autorun.inf file, it automatically deletes that file and reports to the user. So you can freely double click your pen drives again.

It also fixes the double click problem on all drives caused by the existence of this “autorun.inf” file.

Scans all fixed and removable drives.
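An added example, not part of the author’s tool: a small autorun.inf parser that reports the keys which make AutoPlay launch a program, or make a double click on the drive run a command instead of opening the folder. The sample autorun.inf below is constructed in the shape these posts describe.

```python
import re

# Keys that make AutoPlay launch a program straight away (standard autorun.inf keys).
LAUNCH_KEYS = ("open", "shellexecute")

# Constructed sample in the shape the posts describe (not a real file from a drive).
SAMPLE_AUTORUN = r"""[autorun]
; comment lines and the [autorun] header are the only structure the format has
open=regsvr.exe
shell\open\command=regsvr.exe
shell\open=Open
shell\explore\command=regsvr.exe
action=Open using software provided on this device
icon=%SystemRoot%\system32\shell32.dll,4
"""

def parse_autorun(text):
    """Tolerant parser: key/value pairs of the [autorun] section, keys lowercased;
    blank lines, ';' comments and lines without '=' are skipped."""
    entries, inside = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            inside = line[1:-1].strip().lower() == "autorun"
        elif inside and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries

def assess_autorun(text):
    """List why the drive would run a program on AutoPlay or on a double click
    in Explorer (the 'double click problem' from the post) instead of opening."""
    e, findings = parse_autorun(text), []
    for key in LAUNCH_KEYS:
        if key in e:
            findings.append(f"AutoPlay launch: {key}={e[key]}")
    default_verb = e.get("shell", "open").lower()  # shell= picks the default verb
    for key, cmd in e.items():
        m = re.fullmatch(r"shell\\([^\\]+)\\command", key)
        if m:
            verb = m.group(1)
            note = " <- runs on double click" if verb == default_verb else ""
            findings.append(f"Explorer verb {verb}: {cmd}{note}")
    if "action" in e:
        findings.append(f'AutoPlay would offer: "{e["action"]}"')
    return findings
```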

The option menu > checking and unchecking of Autorun.inf Guard is not working. I’ll soon fix that…

In the RegGuard, I’ve also included the fix for the “scrfile” registry entries used by the new SVCHOST, “Word-iconed” virus.

I started creating and came up with all these versions of the software during the night before an exam… my brain works faster during exams.. he he

Oh.. gotta study for tomorrow… cya guys…

Heal AntiVirus 1.1 uploaded

19 April, 2008

Hi guys

I have created a small antivirus tool which guards the registries

and fixes corrupted registries.

Visit https://piyushlabs.wordpress.com/heal-antivirus/

New Virus Attack : (MS Word Icon) SVCHOST SPOOLSV

15 April, 2008

Discovered a new virus that resides in c:\Recycled

  • CTFMON.exe
  • SMSS.exe
  • SPOOLSV.exe
  • SVCHOST.exe

The icons of these files are EXACTLY like the Microsoft Windows MS Word type

  • Icon : MS Word
  • Type of File: Application
  • Description: Microsoft Office Word
  • Size : 55.0 KB (56,320 bytes)
  • Size on disk: 56.0 KB (57,344 bytes)
  • File version : 11.0.5604.0
  • Copyright : Copyright © 1983-2003 Microsoft Corporation. All rights reserved.
  • Language : Language Neutral
  • etc

It adds itself to the startup at

  • HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
  • Explorer.exe “C:\recycled\SVCHOST.exe”

If you try to end task on one of the processes, the other processes make such changes in your system registry that you’ll never again be able to log in to your Windows account. : ( [observed by me in some cases, still got to work out] The comp logs off as soon as you click on your account.

  • because of changes to HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
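An added example (not the author’s RegGuard) covering this post and the SHAHROKH post above: it checks the Winlogon Shell and Userinit values for extra entries and resolves each unqualified image name in the order Windows searches, so an explorer.exe dropped into system32 shows up too. The disk contents and registry values are constructed stand-ins; on a real machine you would read the two values from the Winlogon keys named in the post with the winreg module.

```python
import ntpath
import shlex

# Constructed stand-ins for the disk: lowercase full paths that exist.
CLEAN_DISK = {r"c:\windows\explorer.exe", r"c:\windows\system32\userinit.exe"}
INFECTED_DISK = CLEAN_DISK | {r"c:\windows\system32\explorer.exe",  # SHAHROKH-style copy
                              r"c:\recycled\svchost.exe"}          # Recycled dropper

def search_dirs(system_root=r"C:\WINDOWS", path_dirs=()):
    """Directories tried for an unqualified image name, in the order Windows
    tries them once the application and current directory are exhausted:
    system32 before the Windows directory, then PATH."""
    return [ntpath.join(system_root, "system32"), system_root, *path_dirs]

def resolve_image(name, disk, system_root=r"C:\WINDOWS", path_dirs=()):
    """Return the path that would actually be launched for `name`, or None."""
    if ntpath.isabs(name):
        return name if name.lower() in disk else None
    for d in search_dirs(system_root, path_dirs):
        candidate = ntpath.join(d, name)
        if candidate.lower() in disk:
            return candidate
    return None

def split_commands(value):
    """Winlogon values list several programs: Userinit separates them with
    commas, Shell with spaces (quoted when the path contains spaces)."""
    tokens = shlex.split(value.replace(",", " "), posix=False)
    return [t.strip('"') for t in tokens if t.strip('"')]

def check_winlogon(shell_value, userinit_value, disk, system_root=r"C:\WINDOWS"):
    """Flag every Shell/Userinit entry that is not the one Windows itself uses."""
    findings = []
    want_shell = ntpath.join(system_root, "explorer.exe").lower()
    for cmd in split_commands(shell_value):
        got = resolve_image(cmd, disk, system_root)
        if got is None:
            findings.append(f"Shell: {cmd!r} does not resolve to any file")
        elif got.lower() != want_shell:
            findings.append(f"Shell: {cmd!r} would launch {got}, not {want_shell}")
    want_userinit = ntpath.join(system_root, "system32", "userinit.exe").lower()
    for cmd in split_commands(userinit_value):
        if cmd.lower() != want_userinit:
            findings.append(f"Userinit: unexpected entry {cmd!r}")
    return findings
```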

Discovered

  • Place : rvce, bangalore
  • Dated : April 2, 2008
  • was present much earlier than this date

I’ll work on this soon; I didn’t find any occurrence of it from anywhere else on my blog yet.

Kaspersky does not detect this virus yet, as of 15 April 2008.

Have a look at the virus file

Heal Pen Drive updated

1 April, 2008

I have been working for a few days to make my Heal for Pen Drive a little more interactive.

So, I have used AutoIt to make a very nice utility. It automatically finds the removable drive letter ; )

So get updated with this new utility, and remove all the viruses from your pen drive.

regsvr.exe / rundll.exe / ‘Microsoft CorpAration’ virus details & heal uploaded

26 March, 2008

It has been quite many days. People have been reporting this new virus. Thanks to Muthu Kumar, who sent me the virus file to find out the heal.

I really like this virus. It creates a lot of files and makes a lot of registry changes. Finding the solution was really challenging. It is built with AutoIt, version unknown. The latest update of Kaspersky does not detect this virus unless it is scanned thoroughly.

not-a-virus:Monitor.Win32.007SpySoft.q  -> rundll.exe
Worm.Win32.AutoIt.s                     -> regsvr.exe

The “Microsoft Corparation” tag is really confusing. Mind it, it’s Corp’a’ration, not Corp’o’ration … he he

I won’t say my heal is totally complete; there is still some more work I’m supposed to do on it, probably to fix some more registry entries that I still don’t know what they do. Overall my heal will end task the virus files and restore most of the registries.

This virus/trojan keeps a complete watch on the system by taking snapshots every 30 seconds. Suppose you have this virus for 30 days; just think how much space it will eat. lol

Like the recently appearing viruses, this virus also makes an exe file inside every folder with the name of the parent folder (BUT only in removable drives, this is what I found). It spreads via pen drives, leaving regsvr.exe, New Folder.exe and autorun.inf files in the root directory of the pen drive and other <folder named> files inside.

So here is the solution…
https://piyushlabs.wordpress.com/regsvr/

One of my heals marked as Malware by Bitdefender

25 February, 2008

What sadness….

A few days back, aaronik told me that my heal for nhatquanglan had been marked as malware by BitDefender. I just couldn’t believe that. But it was true…

It’s really sad: you create a solution for some malware,
and after some time your software itself is marked as malware.

My program doesn’t even add itself to the startup, nor does it replicate..
I don’t know why it has been marked as malware.
If this is the case then probably my other heals will also be marked as malware and I might lose interest in making heals…
